Bug 11151 - overflow() at realpath
Summary: overflow() at realpath
Status: NEW
Alias: None
Product: uClibc
Classification: Unclassified
Component: Other (show other bugs)
Version: 0.9.33.2
Hardware: All Linux
: P5 normal
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-12 16:13 UTC by Dhiraj
Modified: 2018-07-12 16:13 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dhiraj 2018-07-12 16:13:10 UTC 
uClibc

File: canonicalize.c line number 36

According to the documentation of realpath() the output buffer needs to be at least of size PATH_MAX specifying output buffers large enough to handle the maximum-size possible result from path manipulation functions. (In that instance, buf's size comes from uv__fs_pathmax_size(). That function attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(3) docs)

But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is used.

Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath() readlink() PathAppend() and others.